SEC Issues Proposed Rules on Mandatory Cybersecurity Disclosure

ESG Collaborative Update

Date: March 10, 2022

During 2021, the SEC began to emphasize its interest in environmental, social and governance (“ESG”) issues; among other things, it indicated its intent to issue rules on an array of ESG matters, including climate-based disclosures. It kicked off its ESG rulemaking in December 2021 by issuing proposed rules regarding stock repurchases and Rule 10b5‑1 plans and insider trading, which we reviewed here.

One major ESG area, cybersecurity, has been on the SEC’s radar for a number of years; it initially issued guidance in 2011, which it expanded upon in 2018. The SEC made it clear that cybersecurity remained an area of focus in recent years; most recently, SEC Chair Gary Gensler gave a speech in January 2022 in which he announced that he asked staff to recommend rule disclosures regarding cybersecurity practices and risk disclosures and public disclosure of cyber events, aiming for information “presented in a consistent, comparable, and decision-useful manner”.  

On March 9, 2022, the proposal arrived. The SEC released a proposed rule intended to enhance and standardize disclosures relating to cybersecurity risk management, strategy, governance, and incident reporting. Companies would be required to tag the new disclosures described below using iXBRL.

  • Current disclosure of “material” incidents on Form 8-K: The proposed rule would require a company to report it experienced a “material” cybersecurity incident under new Item 1.05 on Form 8-K, within four business days of determining such incident occurred. The company would need to indicate the nature and scope of the incident, when it was discovered, and whether it remains ongoing; whether any data was stolen, altered, accessed, or used for any other unauthorized purpose; its effect on the company’s operations; and whether the company remediated the incident, or is in the process of doing so. Proposed Form 8-K instructions would require companies to make the materiality determination “as soon as reasonably practicable after discovery of the incident,” and the proposal notes that, while the trigger date may be the same date an incident is discovered, in some cases, the materiality determination may be made at a later date. Materiality should be assessed consistent with securities laws; the proposed rule notes that, “[e]ven if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material”. The proposal includes several examples of cybersecurity incidents that could trigger the proposed disclosure. Any failure to timely report an incident under Item 1.05 would not affect a company’s ability to use a Registration Statement on Form S-3.
  • Periodic disclosures: The proposed rule would add a new Item 106 and Item 407(j) to Regulation S-K, which would require additional disclosures in companies’ quarterly and annual reports on Forms 10-Q and 10-K, including adding a new Item 1.C. Cybersecurity to Form 10-K.

           Item 106 would require, among other things:

    • A description of any policies and procedures for identifying and managing cybersecurity risks, including (i) whether the company has a cybersecurity risk assessment program, (ii) certain information regarding third parties, including if the company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program and whether it has policies and procedures to oversee and identify cybersecurity risks associated with the use of any third-party service provider, (iii) whether the company undertakes activities to prevent, detect, and minimize the impact of cybersecurity incidents or has business continuity, contingency, and recovery plans in the event of any such incidents, (iv) whether the company revised its governance, policies and procedures, or technologies as a result of any cyber incidents, (v) whether, and how, cybersecurity-related risks and incidents have affected, or are reasonably likely to affect, results of operations or financial condition, and (vi) whether the company considers cybersecurity risks as part of its business strategy financial planning, and capital allocation;
    • Management’s role in assessing and managing cybersecurity risks and in implementing any cybersecurity policies, procedures, and strategies, including (i) whether certain roles or committees are responsible for measuring and managing cybersecurity risk, particularly the prevention, mitigation, detection, and remediation of cyber incidents, and such persons’ relevant expertise, (ii) whether the company has a designated chief information security officer (or someone in a comparable position), such person’s relevant expertise, and to whom he or she reports, (iii) how such persons or committees are informed about, and monitor, the prevention, mitigation, detection and remediation of cybersecurity incidents, and (iv) whether, and how often, such persons or committees report to the board or a board committee regarding cybersecurity risk;
    • Disclosure regarding the board’s oversight of cybersecurity risk, including whether the board, a committee, or specific directors have oversight responsibility, how management keeps the board informed, the frequency of cybersecurity risk discussions, and whether, and how, the relevant directors consider cybersecurity risk as part of the board’s business strategy, risk management, and financial oversight;
    • Ongoing updates regarding previously disclosed cybersecurity incidents, including any actual or potential material impact to the company’s operations and financial condition, whether the incident has been remediated or such remediation is in process, and any changes to the company’s policies and procedures as a result of the incident; and
    • Disclosure of any series of cybersecurity incidents that are material in the aggregate, even though each incident alone is immaterial, providing similar information as that required under the proposed Form 8-K disclosure.

In addition, under Item 407(j), companies would need to disclose certain information relating to directors’ cybersecurity expertise, including naming any such directors and describing the nature of any such expertise (for example, prior work experience, possession of a cybersecurity certification or degree, or other knowledge, skills, or background in cybersecurity, such as risk management or security operations).

Importantly, as noted above, the proposed rules would require a company to disclose its selection and oversight of third-party entities. This is critical to understand a company’s information security programs and risk posture, as evidenced by several recent high-profile ransomware and cyber operations that have targeted data processing service providers and indirectly caused severe damage and loss to their customers. In turn, it will be important that the information security policies described above include a vendor management process wherein companies are analyzing and verifying the technical, physical, and administrative security controls within a service provider and ensuring any data processing contracts memorialize such information security requirements and properly allocate the liability and risks between the parties.

Many companies already disclose some or all of the matters described above in their SEC filings, particularly in annual meeting proxy statements with respect to board risk oversight and directors’ cybersecurity expertise; those that do not should consider including such disclosures in their proxy statements for upcoming annual meetings. Companies should undertake an assessment of their cybersecurity measures and compliance programs. In addition, companies should be expanding their director and officer questionnaires to solicit information regarding cybersecurity and information technology knowledge and expertise.

Comments are due on the proposal by the later of 30 days after publication in the Federal Register or May 9, 2022.

FOR MORE INFORMATION

For more information, please contact:

Jurgita Ashley
216.566.8928
Jurgita.Ashley@ThompsonHine.com

Steven G. Stransky
216.566.5646
Steven.Stransky@ThompsonHine.com

Julia Miller
216.566.5831
Julia.Miller@ThompsonHine.com

or another member of our Securities, Capital Markets & Corporate Governance or Privacy & Cybersecurity teams. For ESG matters, please contact a member of our ESG Collaborative.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel. This document may be considered attorney advertising in some jurisdictions.

© 2022 THOMPSON HINE LLP. ALL RIGHTS RESERVED.